VRF-Aware IPSec for Remote Access

Dear All,
Has anyone successfully implemented VRF-Aware IPsec for Remote Access?
I am trying to implement this feature on a PE which has MPLS enabled
on the Internet facing interface.
With the config below, I am able to establish an IPsec tunnel but not able to ping the VRF interface configured on the same PE.
I would be really grateful for any comments or pointers on what could
possibly be wrong with the configuration below:
aaa new-model
aaa authentication login USER-AUTHENTICATION local
aaa authorization network GROUP-AUTHORISATION local
!
! Keyring referenced by the ISAKMP profile. It is empty in this post; the
! group pre-shared key for the clients is set under the client configuration group.
crypto keyring test-1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! Easy VPN group: group key, address pool and split-tunnel ACL pushed to clients
crypto isakmp client configuration group test-1
 key test-1
 domain test.com
 pool cpe-1
 acl 101
!
! The vrf statement is what makes the profile VRF-aware: decrypted client
! traffic is placed in VRF test-1, and RRI routes go into that VRF
crypto isakmp profile test-1
 vrf test-1
 keyring test-1
 match identity group test-1
 client authentication list USER-AUTHENTICATION
 isakmp authorization list GROUP-AUTHORISATION
 client configuration address initiate
 client configuration address respond
 client configuration group test-1
!
ip local pool cpe-1 192.168.81.1 192.168.81.254 group test-1
!
! Transform set test-1 and access-list 101 are referenced here but their
! definitions were not included in the post
crypto dynamic-map test-1 1
 set transform-set test-1
 set isakmp-profile test-1
 reverse-route remote-peer
!
crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
!
! Internet facing interface (global routing table, MPLS enabled)
interface GigabitEthernet4/0/0
 ip address x.x.x.x 255.255.255.240
 ip router isis
 mpls ip
 crypto map IPSEC-AWARE-VRF
!
! Customer facing interface (inside VRF test-1)
interface GigabitEthernet1/0/0.1
 encapsulation dot1Q 100
 ip vrf forwarding test-1
 ip address 110.110.110.1 255.255.255.0
Kind regards,
ZH
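A consistency check of the configuration posted above, added here as an example; it is not part of the thread and not a Cisco tool. The symptom described (tunnel up, no traffic to the VRF interface) can have several causes, and one thing worth ruling out before touching the switching path is a dangling reference: the client group, ISAKMP profile, dynamic map and crypto map each name objects that must exist, and the profile must carry the vrf statement while the dynamic map must inject routes back into that VRF. The script parses IOS running-config text into blocks and reports every referenced object the config never defines, plus a profile without vrf and a dynamic map without reverse-route. The embedded sample is a trimmed transcription of the post's config: the line ip vrf test-1 and the address 192.0.2.1 are stand-ins for what the post did not show or masked, and since the transform set and access-list 101 are also absent from the post, those are the two findings the checker produces. The names check_config, parse_blocks and SAMPLE_CONFIG are this example's own.

```python
"""Reference checker for a VRF-aware IPsec remote-access IOS config (hypothetical helper, not a Cisco tool)."""
from collections import defaultdict

# Trimmed transcription of the config in the post. "ip vrf test-1" stands in for
# the VRF definition the post did not show; the transform set and ACL 101 were
# not shown either, so the checker is expected to flag exactly those two.
SAMPLE_CONFIG = """
aaa authentication login USER-AUTHENTICATION local
aaa authorization network GROUP-AUTHORISATION local
ip vrf test-1
crypto keyring test-1
crypto isakmp client configuration group test-1
 pool cpe-1
 acl 101
crypto isakmp profile test-1
 vrf test-1
 keyring test-1
 match identity group test-1
 client authentication list USER-AUTHENTICATION
 isakmp authorization list GROUP-AUTHORISATION
 client configuration group test-1
ip local pool cpe-1 192.168.81.1 192.168.81.254 group test-1
crypto dynamic-map test-1 1
 set transform-set test-1
 set isakmp-profile test-1
 reverse-route remote-peer
crypto map IPSEC-AWARE-VRF 2 ipsec-isakmp dynamic test-1
interface GigabitEthernet4/0/0
 ip address 192.0.2.1 255.255.255.240
 crypto map IPSEC-AWARE-VRF
"""

# top-level command prefix -> (kind of object it defines, word index of its name)
DEFINERS = {
    "aaa authentication login ": ("login-list", 3),
    "aaa authorization network ": ("network-list", 3),
    "ip vrf ": ("vrf", 2), "ip local pool ": ("pool", 3), "access-list ": ("acl", 1),
    "crypto keyring ": ("keyring", 2), "crypto ipsec transform-set ": ("transform-set", 3),
    "crypto isakmp client configuration group ": ("client-group", 5),
    "crypto isakmp profile ": ("isakmp-profile", 3),
    "crypto dynamic-map ": ("dynamic-map", 2), "crypto map ": ("crypto-map", 2),
}
# top-level command prefix -> (kind, sub-command) pairs whose argument must exist
REFERRERS = {
    "crypto isakmp client configuration group ": (("pool", "pool"), ("acl", "acl")),
    "crypto isakmp profile ": (("vrf", "vrf"), ("keyring", "keyring"),
                               ("client-group", "match identity group"),
                               ("client-group", "client configuration group"),
                               ("login-list", "client authentication list"),
                               ("network-list", "isakmp authorization list")),
    "crypto dynamic-map ": (("transform-set", "set transform-set"),
                            ("isakmp-profile", "set isakmp-profile")),
    "interface ": (("crypto-map", "crypto map"),),
}

def parse_blocks(text):
    """Split config text into (top-level command, [sub-commands]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and blocks:      # IOS indents sub-commands by a space
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def sub(subs, prefix):
    """Argument of the first sub-command starting with prefix, else None."""
    for s in subs:
        if s.startswith(prefix + " "):
            return s[len(prefix) + 1:]
    return None

def check_config(text):
    """Return sorted findings; an empty list means every reference resolves."""
    defined, refs, findings = defaultdict(set), [], []
    for cmd, subs in parse_blocks(text):
        w = cmd.split()
        for prefix, (kind, idx) in DEFINERS.items():
            if cmd.startswith(prefix):
                defined[kind].add(w[idx])
        for prefix, wanted in REFERRERS.items():
            if cmd.startswith(prefix):
                refs += [(k, sub(subs, key), cmd) for k, key in wanted if sub(subs, key)]
        if cmd.startswith("crypto map ") and " dynamic " in cmd:
            refs.append(("dynamic-map", w[-1], cmd))
        # Without vrf under the profile, decrypted client traffic stays in the global table.
        if cmd.startswith("crypto isakmp profile ") and not sub(subs, "vrf"):
            findings.append(f"{cmd}: no vrf statement")
        # Without RRI the VRF has no route back to the client pool addresses.
        if cmd.startswith("crypto dynamic-map ") and not any(s.startswith("reverse-route") for s in subs):
            findings.append(f"{cmd}: no reverse-route")
    findings += [f"{where}: references undefined {kind} {name}"
                 for kind, name, where in refs if name not in defined[kind]]
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE_CONFIG)) or "all references resolve")
```

Feed the text of show running-config to check_config to run it against a live box. An empty result only means the crypto objects reference each other correctly and the profile is tied to the VRF; it says nothing about the switching path on the public interface, which is what the follow-up reply reports as the actual fix.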

Million thanks for this.
This now works after disabling CEF on the public facing interface.
Regards,
Zahid

Similar Messages

  • Vrf Aware IPSEC

    Hi
    I am trying something in line with the title mentioned, but I am getting stuck in getting my VPN client to establish connectivity with my IPE box, which is a 7206.
    I have tried establishing the dynamic IPsec with my 6513 box configured to accept the same, where it is working fine without any issues, but, my bad luck, I don't have a compatible IOS to tune my 6513 box to support VRF-aware IPsec, and since my 7206 supports the same functionality I didn't want the 6513 to cater for that feature.
    I have even tried the same config of normal plain dynamic IPsec which I tried in the 6513 switch, but I am still getting the same problem.
    I am getting "remote peer is no longer responding" in my VPN client.
    I am attaching the config of my IPE box with this message; please do suggest how I should proceed to make it through, because I have run out of ideas and gone totally dry
    (because I have been trying/cracking this continuously for hours together..) :-(
    regards

    Hi
    Thanks a lot, I got it working, but do revert on how come the same is working fine without any issues in my 6513 box without the above mentioned command. That's why I got stumped :-(
    Any compatibility issues, or any specifics that have been put in to add this syntax in 7206 boxes alone? Because I am aware of some boxes, even in production networks, running dynamic IPsec stuff without the above mentioned command..
    regards

  • DMVPN + VRF-Aware IPSec

    Hi,
    Can we club DMVPN and VRF-Aware IPsec features?
    Regards
    Mahesh

  • 2800s, AIM-VPN-SSL2, vrf aware IPSEC, high CPU low throughput

    We have a couple of new 2821s deployed across a fibre link and they were originally running 12.4 (non-T) versions using software encryption. We would get around 8 Mb/s throughput. Upgrading to T to use the installed AIM cards, we now see the AIM cards in use (show cry isakmp sa det shows the engine as aim vpn), but we still get the same throughput and high CPU. Allowing CEF on the interface doubles throughput but with the same high CPU. The only process I can see going high is IP Input. Is this because of VRF-aware IPsec, or any other suggestions?

    Hi Nick,
    I am having the same issue. We have a 2851 as an IPsec VPN headend with an AIM VPN module, but we are seeing high CPU usage (80%) with just 4-5 Mbps worth of traffic. I have an idea that I might have a NAT issue.
    We are currently running NAT, ZFW and IPsec site-to-site VPN on the router.
    When I look at my zone firewall policy-map output it is showing all of my VPN traffic as process switched.
    Inspect
    Packet inspection statistics [process switch:fast switch]
    tcp packets: [14809800:0]
    udp packets: [145107:0]
    icmp packets: [20937:12]
    I have disabled the ZFW and still see high CPU, although it is a little lower.
    Packets are not fragmented; CEF and fast switching look to be enabled. I am using a route-map for my no-NATs. That is the only thing I can think of now.
    I have tried IOS 12.4(20)T3, T4 and 12.4(15)T9. Same results.
    Anyone have some ideas?

  • VRF-Aware IPsec with a Dynamic VTI

    Hello
    I am trying to configure VRF-aware IPsec with a Dynamic VTI. I follow the guidelines from the document
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/15-2mt/sec-ipsec-virt-tunnl.html#GUID-C0A165BF-5866-4B13-BD73-0892B7E65488
    According to the example "VRF-Aware IPsec with a Dynamic VTI When VRF is Configured Under an ISAKMP Profile", I should be able to configure both the vrf and virtual-template features under the same crypto isakmp policy.
    Unfortunately, if I try to do that, I receive the following message:
    R4(conf-isa-prof)#virtual-template 1
    % VRF already set for isakmp profile. Virtual Template not allowed
    Does anybody know why I am not able to follow the configuration from this example?
    My profile configuration and the virtual-template configuration are as follows:
    crypto isakmp profile A
     vrf A
     keyring A
     match identity address 192.168.0.2 255.255.255.255
    interface Virtual-Template1 type tunnel
     ip unnumbered Loopback2
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile A
    I am doing the test on IOS 12.4(11)XW3 running on a 3725 router.
    Thank you in advance for any hints.
    Regards
    Lukas

    Lukas,
    I'm not sure, but most likely this was not yet supported in 12.4.
    The document you refer to is for IOS 15.2. I don't know by heart if your 3715 can run 15.2; otherwise give 15.1(4)Mx a try?
    hth
    Herbert

  • Desperate help needed to configure WVC210 for remote access?

    Hi, I'm new and desperately need some help setting up my WVC210 for remote access.
    I managed to set up and see images from my WVC210 using my home LAN via both wired and wireless.
    I have 2 questions:
    (a) For the wireless connection, I only manage to get a connection to my WVC210 if I disable the wireless security on my router. But that means I'm opening my wireless LAN to everyone. How can I still get a connection to the camera if I enable the wireless security on my router? (FYI: my router is a 2Wire ADSL from Singnet Mio)
    (b) How can I get a connection to my WVC210 from outside or in my office? I type the camera's fixed IP address (displayed on the front screen) into the web browser, but it shows an error page. Is there some setting that I might need to adjust?
    Please kindly help me.
    Thank you.

    Bernard,
    > For Item (2), is there any difference between the camera's built-in DynDNS updater and the software updater? I am under the impression that the software updater is easier to manage.
    The biggest difference for you is that the camera always stays at the same location, and the laptop goes with you. Every time you access the Internet from a different location with the laptop, the software updater sends the new IP address to dyndns.com. This causes you to lose access to your camera because the FQDN doesn't point to your home IP address anymore. Once the DynDNS credentials are in the camera (or router) there is no management needed. The device will automatically update dyndns.com with your new IP address as it changes, and you do not need to do anything.
    > For Item (3), are you saying port forward 1025 is for the 2nd camera only or for both? Or is it that the 2nd camera uses 1025 and the first camera uses 8080?
    Here's an example of what I mean:
    Camera 1: 192.168.1.210 port 1024. In router, forward port 1024 to 192.168.1.210
    Local Access: http://192.168.1.210:1024
    Remote Access: http://bernards210.dyndns.org:1024 (Example)
    Camera 2: 192.168.1.211 port 1025. In router, forward port 1025 to 192.168.1.211
    Local Access: http://192.168.1.211:1025
    Remote Access: http://bernards210.dyndns.org:1025 (Example)
    Camera 3: 192.168.1.212 port 1026. In router, forward port 1026 to 192.168.1.212
    Local Access: http://192.168.1.212:1026
    Remote Access: http://bernards210.dyndns.org:1026 (Example)
    > To access the 2 cameras from outside, do I have to have another DynDNS host name or can I use the current one for both cameras?
    As you can see in the above example, the DynDNS name remains the same for remote access to all three cameras. The only change is the port number at the end. Your router will translate the port number to the IP address that the port is forwarded to, allowing you to select the camera that you wish to view by changing the port number in the address.
    > I was actually thinking that the camera web browser can show 2 cameras at the same time. Is it possible?
    No. Each browser window will display a single camera. You can, however, open multiple instances of your browser to allow viewing of more than one camera simultaneously. A better solution is to install the Video Monitoring Software that is included with the camera, which allows you to view multiple cameras in the same window.

  • LDAP vs local login for remote access

    Hi Team,
    I am evaluating the best means for single-factor authentication for remote access (client-to-site or SSL VPN). The options I see are creating local usernames and passwords or integration with Active Directory via LDAP. What are the pros and cons of these solutions?
    I feel local logins are comparatively more secure because the user first logs in using the local login and password and then has to use the domain credentials for accessing corporate resources. Of course, this comes at an administrator overload and local management of usernames and passwords. Do you have any opinion on this? Any acknowledgement will be highly appreciated.

    Hello Manoj,
    IMO, I would never consider the local DB as an option for a corporate deployment. It does not scale and it is not easy to manage.
    The local DB is used in case you need to manage a number of, say, 15 users; in this case it is manageable, but when it comes to a higher number it is not an option.
    Active Directory is a better solution since it is meant to handle hundreds of users and allows password management, for instance. Also, you can have many ASA devices performing DB bindings and queries to check the user credentials against the AD servers, so you don't need to deal with tons of user accounts on each ASA, for instance.
    If you are looking for a more secure way to authenticate your users, you can consider two-factor authentication using certificates, for instance:
    AnyConnect Certificate Based Authentication.
    Why use AD:
    Pros:
    Scalable.
    Easy to manage.
    Allows password management.
    Cons:
    Expensive (not an open AD solution).
    HTH.
    Please rate helpful posts.

  • How to Use synchronous RFC calls during test run for remote accesses

    There is a setting for the usage of RFC accesses from a tested system
    using eCATT.
    'X' - Use asynchronous RFC calls during test run for remote accesses
    ' ' - Use synchronous RFC calls during test run for remote accesses
    I developed an eCATT as follows:
      SAPGUI ( SAPGUI_1 , Target_system_1 ).
      SAPGUI ( SAPGUI_2 , Target_system_2 ).
    My question is how to run the eCATT with synchronous RFC calls.
    PS: I do not want to change the Target_system to the same one in the
    above eCATT script, because I need to run it in 2 different target
    systems sometimes.
    For example, if I give a Target_system_3 when running this eCATT,
    I want SAPGUI_1 and SAPGUI_2 to run against Target_system_3 and not
    Target_system_1 or Target_system_2.
    Could you please tell me how to do this without changes to the script?
    Edited by: Weitong Liu on Mar 24, 2011 9:44 AM

    Hi Liu,
    Weitong Liu wrote:
    > ' ' - Use synchronous RFC calls during test run for remote accesses
    This is the standard option value. Asynchronous are not the standard way and used only for very special purposes.
    Weitong Liu wrote:
    > I developed an eCATT as following :
    >   SAPGUI ( SAPGUI_1 , Target_system_1 ).
    >   SAPGUI ( SAPGUI_2 , Target_system_2 ).
    > My question is how to run the eCATT in a synchronous RFC calls
    The commands will be executed in sequence. So each call will be synchronously replayed against TS1 and TS2.
    What is your issue with this standard procedure?
    Kind regards,
    Christoph

  • How to enable second HD DVR for remote access?

    I easily got my first HD DVR set up for remote access and it worked perfectly for 1 day, then it stopped working.  After 2 hours on the phone with tech support, we got it to work again.  However, we were unable to get my second DVR set up.  He said that I could only have one DVR set up for remote access; is that true?  If not, any assistance would be much appreciated.
    Thank you!

    glcockrum wrote:
    > I easily got my first HD DVR set up for remote access and it worked perfectly for 1 day, then it stopped working.  After 2 hours on the phone with tech support, we got it to work again.  However, we were unable to get my second DVR set up.  He said that I could only have one DVR set up for remote access; is that true?  If not, any assistance would be much appreciated.
    > Thank you!
    Are you speaking of Remote Access from the Web?  ...or from a mobile phone?
    For Web Access it is absolutely NOT TRUE!
    I have TWO DVRs.  I can access both remotely from the web and schedule or delete recordings.
    The tech MAY have been speaking of (or confused about) the MULTI-ROOM capability that the DVRs have.
    Only one of the DVRs can be (and is) a Home Media (or Multi-Room) DVR, and therefore can share recordings with my other NON-DVR STB and communicates with any computer on my home network for PC-based Audio, Video and Image files, as well as connecting to certain Internet video streaming sites.
    The other DVR is a standalone machine in this regard, but regardless, it still has remote access to control it from the Web.
    (I do not know anything about the Remote Access from a mobile phone capability, since I do have a Verizon Wireless contract.  THAT Remote Access may indeed be limited to just a single DVR.)

  • Configure Time Capsule for remote access

    I have a second generation 2TB Time Capsule, operating on Bridge Mode, connected to an Arris Touchstone Telephony Gateway TG862. I want to configure Back to My Mac to be able to access the Time Capsule remotely.
    I've followed the basic steps and get this message from the settings in the iCloud Pane in System Preferences: Setup router for better performance. And this details: Contact your ISP for a different server address.
    I've tried Google and OpenDNS, and also disabling the Firewall in the Arris router, and still can't access the Time Capsule remotely.
    I also tried disabling NAT and setting it up as Bridged in the router, and disabling Wireless as well, trying to configure the Time Capsule to serve NAT and DHCP, to no avail.
    Any steps I'm missing or a whole different approach I should take to be able to access my Time Capsule remotely?
    Thank you in advance for any help.

    You will have to learn how to port forward in your Arris Gateway.
    Arris Touchstone Telephony Gateway TG862
    The easiest way is to simply Google it.
    http://forums.comcast.com/t5/Home-Networking-Router-WiFi/Port-forwarding-in-Arris-TG852G-CT/td-p/954929
    It certainly appears to be problematic, which is not surprising. If you really need remote access I would request a pure modem from your ISP (Comcast??) or simply replace it with one in the list. You will need to turn off any inbuilt firewall in the router and perhaps use DMZ to the TC.
    There are a few posts on YouTube which also might help you, e.g.
    https://www.youtube.com/watch?v=_8tKBHvCz_0
    But I am on ADSL, so my setup is too unlike yours to really tell you much.
    If you want to test something, let me recommend you load TeamViewer onto a computer in your LAN, set the computer up to never sleep, and then try to reach it using TeamViewer from a WAN connection. If that works, let me recommend you stick to something of this type. Unless you are prepared to change modems with your ISP, I doubt you will solve it.
    If TeamViewer fails, nothing is going to work; you need to at least turn off the firewalls in both the computer and the router.
    If you don't want to leave a computer running 24/7 to accept incoming requests, then use a WD MyCloud or similar type of NAS, which are far better designed for remote access than Apple routers, or use cloud storage and keep the files you might want there.

  • IPsec for remote telephones

    I want to activate IPsec for remote telephones. I have 2 Cisco 2651s and I'm trying to configure an IPsec tunnel between them, but when I try to use the crypto command in configure terminal it doesn't exist. Is the configuration of IPsec not possible by default in all routers? Do I need a license or something like that? How can I know if my router supports IPsec? I have Cisco IOS 12.4.
    regards

    And how I can add this feature?
    Which solution do you suggest?

  • VPN between XP client IPSec and IOS for remote access

    Solved.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7d54c/0
    Hi,
    I am trying to implement remote access for XP clients using their built-in IPsec feature and my 805 router configured with a dynamic crypto map, but it's not working. Apparently the remote client's IKE phase 1 is successful, but it gets stuck there.
    Has anyone faced this before?
    The client is behind an ADSL router, but I am allowing the traffic on 500 through it and I am not seeing traffic leaving the Cisco router. So it's in the 805.
    Thanks in advance
    David

    If you set up a VPN server on your Mac (server) at home, and configure it to route all traffic via the VPN connection by defining the network 0.0.0.0 as being 'private', this will cause all traffic to go via your home Mac and therefore bypass the hospital filter.
    You can test this by going to the following address when not connected to the VPN and after connecting to the VPN; the public IP address should change, showing that when connected to the VPN the public IP address becomes your home address.
    See http://www.whatismyip.com (or a similar site)
    This approach can also get round 'geo-IP' protection. For example, if you're abroad on holiday and still want to get access to BBC iPlayer or Hulu.

  • Help For Remote Access Via VPN

    Need Help
    What Cisco product, or router specification or model, can we use for a VPN connection to our remote site via an Internet connection?
    Thanks, God bless

    There are several options here, but more information is probably needed to give a good recommendation.
    1.  What type of VPN?  A site-to-site VPN that stays up, or a remote VPN that is more on demand?
    2.  What type of Internet access do you have at your remote site?
    3.  Are you going to also use this as a gateway to the Internet, or will this device sit to the side of or behind your gateway?
    My first inclination is that if you just need occasional remote access to your remote site for support issues, check out the ASA 5505.  Depending on where you will place it and what amount of user traffic will flow through it, you may be able to get by with just a base license and use IPsec remote VPN.
    If this post answers your question or is helpful, please consider rating it and/or marking it as answered.

  • Routing Issue for Remote Access Clients over Site to Site VPN tunnels

    I have a customer who told me that Cisco has an issue when a customer has a topology of, let's say, 3 sites that have site-to-site tunnels built, and a Remote Access client connects to site A and needs resources at site B, but the PIX won't route to that site. Has this been fixed in the ASA?

    Patrick, that was indeed true for a long time.
    But now it is fixed in PIX and ASA version 7.x.
    Please refer to this document for details:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml
